DOCSLIB.ORG

Security Policy

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Security Policy Red Hat Enterprise Linux 8 Kernel Crypto API Cryptographic Module version rhel8.20200327 FIPS 140-2 Non-Proprietary Security Policy Version 1.1 Last update: 2021-04-26 Prepared by: atsec information security corporation 9130 Jollyville Road, Suite 260 Austin, TX 78759 www.atsec.co m © 4/26/21 Red Hat(R), Inc. / atsec information security corporation Page 1 of 29 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux 8 Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy Table of Contents 1 Cryptographic Module Specification.......................................................................................4 1.1 Module Overview..........................................................................................................4 1.2 FIPS 140-2 validation....................................................................................................6 1.3 Modes of Operations.....................................................................................................7 2 Cryptographic Module Ports and Interfaces............................................................................8 3 Roles, Services and Authentication........................................................................................9 3.1 Roles............................................................................................................................. 9 3.2 Services........................................................................................................................ 9 3.3 Authentication............................................................................................................15 4 Physical Security..................................................................................................................16 5 Operational Environment.....................................................................................................17 5.1 Applicability................................................................................................................17 5.2 Policy..........................................................................................................................17 6 Cryptographic Key Management..........................................................................................18 6.1 Random Number Generation......................................................................................18 6.2 Key Generation...........................................................................................................18 6.3 Key establishment / Key Transport..............................................................................19 6.4 Key / Critical Security Parameter (CSP) Access...........................................................19 6.5 Key / CSP Storage.......................................................................................................19 6.6 Key / CSP Zeroization..................................................................................................19 7 Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC)..............................20 8 Self-Tests..............................................................................................................................21 8.1 Power-Up Self-Tests.....................................................................................................21 8.1.1 Integrity Tests....................................................................................................21 8.2 Conditional Tests.........................................................................................................22 9 Guidance.............................................................................................................................. 23 9.1 Cryptographic Officer Guidance..................................................................................23 9.1.1 Secure Installation and Startup.........................................................................23 9.1.2 FIPS module installation instructions:................................................................23 9.1.2.1 Recommended method..................................................................................23 9.1.2.2 Manual method..............................................................................................23 9.2 User Guidance............................................................................................................24 9.2.1 XTS Usage.........................................................................................................24 9.2.2 GCM Usage........................................................................................................24 9.2.3 Triple-DES Usage...............................................................................................24 9.3 Handling Self Test Errors.............................................................................................25 10 Mitigation of Other Attacks................................................................................................26 Appendix A Glossary and Abbreviations..................................................................................27 Appendix B References...........................................................................................................29 © 4/26/21 Red Hat(R), Inc. / atsec information security corporation Page 2 of 29 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux 8 Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy Introduction This document is the non-proprietary Security Policy for the Red Hat Enterprise Linux 8 Kernel Crypto API Cryptographic Module version rhel8.20200327. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-2 (Federal Information Processing Standards Publication 140-2) for a Security Level 1 module. © 4/26/21 Red Hat(R), Inc. / atsec information security corporation Page 3 of 29 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux 8 Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy 1 Cryptographic Module Specification 1.1 Module Overview The Red Hat Enterprise Linux 8 Kernel Crypto API Cryptographic Module (hereafter referred to as the “Module”) is a software only cryptographic module that provides general-purpose cryptographic services to the remainder of the Linux kernel. The Red Hat Enterprise Linux 8 Kernel Crypto API Cryptographic Module is software only, security level 1 cryptographic module, running on a multi-chip standalone platform. The module is implemented as a set of shared libraries / binary files. Figure 1: Cryptographic Module Logical Boundary © 4/26/21 Red Hat(R), Inc. / atsec information security corporation Page 4 of 29 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux 8 Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy The module is aimed to run on a general purpose computer; the physical boundary is the surface of the case of the target platform, as shown in the diagram below: Figure 2: Cryptographic Module Physical Boundary The following list of packages is required for the module to operate: • the kernel-4.18.0-193.el8 package, which contains the binary files, integrity check HMAC files and Man Pages for the kernel • the libkcapi-hmaccalc-1.1.1-16_1.el8.x86_64 package. The module is made of the following files: • kernel loadable components /lib/modules/$(uname -r)/kernel/crypto/*.ko • kernel loadable components /lib/modules/$(uname -r)/kernel/arch/x86/crypto/*.ko • static kernel binary (vmlinuz): /boot/vmlinuz-$(uname -r) • static kernel binary (vmlinuz) HMAC file: /boot/.vmlinuz-$(uname -r).hmac • sha512hmac binary file for performing the integrity checks: usr/bin/sha512hmac • sha512hmac binary HMAC file: /usr/lib64/hmaccalc/sha512hmac.hmac The kernel provides the HMAC-SHA-512 algorithm used by the sha512hmac binary file to verify the integrity of both the sha512hmac file and the vmlinuz (static kernel binary) file. © 4/26/21 Red Hat(R), Inc. / atsec information security corporation Page 5 of 29 This document can be reproduced and distributed only whole and intact, including this copyright notice. Red Hat Enterprise Linux 8 Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy 1.2 FIPS 140-2 validation For the purpose of the FIPS 140-2 validation, the module is a software-only, multi-chip standalone cryptographic module validated at security level 1. The table below shows the security level claimed for each of the eleven sections that comprise the FIPS 140-2 standard: FIPS 140-2 Section Security Level 1 Cryptographic Module Specification 1 2 Cryptographic Module Ports and Interfaces 1 3 Roles, Services and Authentication 1 4 Finite State Model 1 5 Physical Security N/A 6 Operational Environment 1 7 Cryptographic Key Management 1 8 EMI/EMC 1 9 Self Tests 1 10 Design Assurance 1 11 Mitigation of Other Attacks N/A Table 1: Security Levels The module has been tested on the following platforms with the following configuration: Hardware Platform Processor Operating System Tested With PAA (AES- Without PAA
Load more

Recommended publications
  • Oracle® Linux 7 Release Notes for Oracle Linux 7.2
    Oracle® Linux 7 Release Notes for Oracle Linux 7.2 E67200-22 March 2021 Oracle Legal Notices Copyright © 2015, 2021 Oracle and/or its affiliates. This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs) and Oracle computer documentation or other Oracle data delivered to or accessed by U.S. Government end users are "commercial computer software" or "commercial computer software documentation" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, reproduction, duplication, release, display, disclosure, modification, preparation of derivative works, and/or adaptation of i) Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs), ii) Oracle computer documentation and/or iii) other Oracle data, is subject to the rights and limitations specified in the license contained in the applicable contract.
    [Show full text]
  • Developer Guide(KAE Encryption & Decryption)
    Kunpeng Acceleration Engine Developer Guide(KAE Encryption & Decryption) Issue 15 Date 2021-08-06 HUAWEI TECHNOLOGIES CO., LTD. Copyright © Huawei Technologies Co., Ltd. 2021. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd. Trademarks and Permissions and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders. Notice The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied. The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied. Issue 15 (2021-08-06) Copyright © Huawei Technologies Co., Ltd. i Kunpeng Acceleration Engine Developer Guide(KAE Encryption & Decryption) Contents Contents 1 Overview....................................................................................................................................1
    [Show full text]
  • Practical Migration from IBM X86 to Linux on IBM System Z
    Front cover Practical Migration from x86 to Linux on IBM System z A guide to migrating popular applications and services from Linux on x86 to Linux on System z Practical guidance on planning, analysis, and TCO Comprehensive hands-on migration case study Lydia Parziale Eduardo Simoes Franco Craig Gardner Berthold Gunreben Tito Ogando Serkan Sahin ibm.com/redbooks International Technical Support Organization Practical Migration from x86 to Linux on IBM System z September 2014 SG24-8217-00 Note: Before using this information and the product it supports, read the information in “Notices” on page vii. First Edition (September 2014) This edition applies to z/VM Version 6.3, DB2 Version 10.5, SUSE Linux Enterprise Server Version 11, and Red Hat Enterprise Linux Version 6. Versions of other software components are incident to the versions available from the respective distributions referenced above. © Copyright International Business Machines Corporation 2014. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Notices . vii Trademarks . viii Preface . ix Authors. ix Now you can become a published author, too! . xi Comments welcome. xii Stay connected to IBM Redbooks . xii Chapter 1. Benefits of migrating workloads to Linux on System z . 1 1.1 Benefits . 2 1.2 Reasons to select Linux on System z . 3 1.2.1 System z strengths . 3 1.3 A new type of information technology: Workload centric . 5 1.4 Workload-centric cloud . 7 1.5 Enterprise cloud computing blueprint for System z. 9 1.5.1 Empowered virtualization management: IBM Wave for z/VM.
    [Show full text]
  • Oracle® Linux 7 Release Notes for Oracle Linux 7
    Oracle® Linux 7 Release Notes for Oracle Linux 7 E53499-20 March 2021 Oracle Legal Notices Copyright © 2011,2021 Oracle and/or its affiliates. This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs) and Oracle computer documentation or other Oracle data delivered to or accessed by U.S. Government end users are "commercial computer software" or "commercial computer software documentation" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, reproduction, duplication, release, display, disclosure, modification, preparation of derivative works, and/or adaptation of i) Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs), ii) Oracle computer documentation and/or iii) other Oracle data, is subject to the rights and limitations specified in the license contained in the applicable contract.
    [Show full text]
  • Navigating Linux Systems
    Navigating Linux Systems Amit Jain, Luke Hindman, and John Rickerd Last Revised: August 6, 2018 c 2018 Amit Jain, Luke Hindman, and John Rickerd Acknowledgments This material is based upon work supported by the National Science Foundation under Award No. 1623189. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation The authors would especially like to thank Ariel Marvasti and Phil Gore for their proof reading and suggestions. 2 Contents 1 Departmental Computing Facilities 7 2 Whom to ask for help? 8 3 Beginner’s Guide 9 3.1 Getting started ....................................... 10 3.1.1 Logging in ...................................... 10 3.1.2 Changing your password .............................. 10 3.1.3 Logging out of the system ............................. 10 3.2 Some basics ......................................... 10 3.2.1 Correcting your typing ............................... 10 3.2.2 Special keys ..................................... 10 3.2.3 Case sensitivity ................................... 11 3.2.4 How to find information? ............................. 11 3.3 Files and directories .................................... 13 3.3.1 File names ..................................... 13 3.3.2 Creating files and directories ........................... 14 3.3.3 Your current directory ............................... 14 3.3.4 Changing directories ................................ 14 3.3.5 Your home directory ................................ 14 3.3.6 Special directories ................................. 14 3.3.7 Special files ..................................... 15 3.3.8 Viewing the contents of a text file ........................ 15 3.3.9 Listing files and directories ............................ 15 3.3.10 Wild-cards and file name completion ....................... 16 3.3.11 Copying files or directories ............................ 16 3.3.12 Renaming a file or directory: ..........................
    [Show full text]
  • Lab Worksheet and Assignment Twelve Disks, Partitions, and File Systems
    CST8207: GNU/Linux Operating Systems I Lab Worksheet and Assignment Twelve Disks, Partitions, and File Systems This is Worksheet and Assignment 12 This is a combined Worksheet and Assignment.. Quizzes and tests may refer to work done in this Worksheet and Assignment; save your answers. You will use a checking program at the end of the assignment to verify the correctness of your work. You must upload the check program results before the due date. Before you get started - REMEMBER TO READ ALL THE WORDS You must have your own Fedora 12 virtual machine (with root permissions) running to do this lab. You cannot do this assignment on the Course Linux Server because you do not have root permissions on that machine. Disks, Partitions, and File Systems 1 Commands, topics, and features covered Use the on-line help (man command) for the commands listed below for more information. ➢ df – show mounted partitions and amount of used/free space ➢ du – recursively display disk usage in directories ➢ eject – unmount and eject a CDROM ➢ fdisk – to display, create, delete, and manage partitions; option -l is very useful ➢ file – determine what kind of thing a pathname is. Can show partition file system types using option -s and will follow (dereference) symbolic links using option -L (upper case) ➢ mkfs – create a file system on a device, usually a hard disk partition. ➢ mkswap – initialize a partition for use as a Linux swap partition. ➢ mount – mount a file system existing on some device into the main file system tree. ➢ swapon – tell the Linux kernel to use an initialized swap partition.
    [Show full text]
  • Aligning Partitions to Maximize Storage Performance
    An Oracle Technical White Paper November 2012 Aligning Partitions to Maximize Storage Performance Aligning Partitions to Maximize Storage Performance Table of Contents Introduction ......................................................................................... 4 Preparing to Use a Hard Disk ............................................................. 6 How Disks Work.............................................................................. 6 Disk Addressing Methods ............................................................... 7 Hard Disk Interfaces ....................................................................... 7 Advanced Technology Attachment (ATA) ..............................................8 Serial ATA (SATA)..................................................................................8 Small Computer System Interface (SCSI) ..............................................8 Serial Attached SCSI (SAS) ...................................................................8 Fibre Channel (FC).................................................................................8 iSCSI ......................................................................................................8 Storage Natural Block Sizes ........................................................... 9 Applying Partitions to Disk Drives ..................................................... 10 Changing Standards for Partitioning ............................................. 10 How Changing Standards Affect Partition Tools and Alignment... 11 Using
    [Show full text]
  • Red Hat Enterprise Linux 4 System Administration Guide
    Red Hat Enterprise Linux 4 System Administration Guide Red Hat Enterprise Linux 4: System Administration Guide Copyright © 2005 Red Hat, Inc. Red Hat, Inc. 1801 Varsity Drive Raleigh NC 27606-2072 USA Phone: +1 919 754 3700 Phone: 888 733 4281 Fax: +1 919 754 3701 PO Box 13588 Research Triangle Park NC 27709 USA rhel-sag(EN)-4-Print-RHI (2005-06-06T17:10U1) Copyright © 2005 by Red Hat, Inc. This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, V1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/). Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. Distribution of the work or derivative of the work in any standard (paper) book form for commercial purposes is prohibited unless prior permission is obtained from the copyright holder. Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat, Inc. in the United States and other countries. All other trademarks referenced herein are the property of their respective owners. The GPG fingerprint of the [email protected] key is: CA 20 86 86 2B D6 9D FC 65 F6 EC C4 21 91 80 CD DB 42 A6 0E Table of Contents Introduction.......................................................................................................................................... i 1. Changes To This Manual ....................................................................................................... i 2.
    [Show full text]
  • Managing ZFS File Systems in Oracle® Solaris 11.4
    ® Managing ZFS File Systems in Oracle Solaris 11.4 Part No: E61017 February 2021 Managing ZFS File Systems in Oracle Solaris 11.4 Part No: E61017 Copyright © 2006, 2021, Oracle and/or its affiliates. License Restrictions Warranty/Consequential Damages Disclaimer This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. Warranty Disclaimer The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. Restricted Rights Notice If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs) and Oracle computer documentation or other Oracle data delivered to or accessed by U.S. Government end users are "commercial computer software" or
    [Show full text]
  • Design of a Dynamic Boot Loader for Loading an Operating System
    Journal of Computer Science Original Research Paper Design of a Dynamic Boot Loader for Loading an Operating System 1Alycia Sebastian and 2Dr. K. Siva Sankar 1Research Scholar, Department of Computer Science and Engineering, Noorul Islam Centre for Higher Education, Tamil Nadu, India 2Department of Information Technology, Noorul Islam Centre for Higher Education, Tamil Nadu, India Article history Abstract: Boot Loader is the crucial program that loads the operating Received: 26-08-2018 system in memory and initializes the system. In today’s world people are Revised: 22-09-2018 constantly on move and portable system are in demand specially the Accepted: 25-01-2019 USB devices due to its portability and accessibility compared to CD/DVD drives. The purpose of this paper is to design a dynamic boot loader which Corresponding Author: Alycia Sebastian removes the BIOS dependency and allow user to boot from USB without Department of Computer changing CMOS settings. The USB is devised as plug and play portable Science and Engineering, Noorul system with puppy Linux and newly developed dynamic boot loader. The Islam Centre for Higher device is experimented on a computer machine with 8 GB RAM, i5 Education, Tamil Nadu, India processor, 64-bit Operating system and windows 7 and observed that nearly Email: [email protected] 50% reduction in booting time i.e., the time spent in changing the boot order is eliminated compared to the static boot loader. The time spent in the BIOS is dependent on the user knowledge in changing the boot priority. The portable system allows the user to work in ease in any environment with minimum requirement of Windows XP and USB 2.0 compatible system.
    [Show full text]
  • Storage & File Systems
    6.2. HDDS 61 to them as pages). A reading/writing head per surface allows storing and reading data. Chapter 6 25 24 26 23 12 11 3 10 22 13 4 21 0 2 9 1 5 14 8 20 6 7 15 Storage & File Systems 19 16 18 17 How does your computer persistently store your data? 6.1 Storage Interface Figure 6.4: Left: schematic of an HDD with 3 platters. Right: geometry of a single platter with 3 tracks and a total of 27 pages. Definition 6.1 (Storage Device, Pages, Address Space). A storage device consists of n pages (also known as sectors or blocks in the literature) of fixed Remarks: size, e.g. 512 bytes per page. The address space of the device is 0 to n 1. To write to or read from a storage device, the OS specifies the address(es) of− the • One could put multiple read/write heads per surface into the HDD, page(s) it wants to access, and in case of a write, it also specifies the data to be or give each head its own motor to move independently of the others. written. Neither of these options is put into practice in modern HDDs. • Since inner tracks closer to the spindle cover less area than outer Remarks: tracks further away, inner tracks have fewer pages per track. • There are many different types of storage devices: HDDs, SSDs, tapes, • On real HDDs, the platter is often subdivided into zones of tracks DVDs, etc. where all tracks in a zone have the same number of pages.
    [Show full text]
  • Freenas® 11.1-U7 User Guide
    FreeNAS® 11.1-U7 User Guide January 2019 Edition FreeNAS® is © 2011-2019 iXsystems FreeNAS® and the FreeNAS® logo are registered trademarks of iXsystems FreeBSD® is a registered trademark of the FreeBSD Foundation Written by users of the FreeNAS® network-attached storage operating system. Version 11.1 Copyright © 2011-2019 iXsystems (https://www.ixsystems.com/) CONTENTS Welcome .............................................................. 8 Typographic Conventions ..................................................... 10 1 Introduction 11 1.1 New Features in 11.1 .................................................... 11 1.2 Changes Since 11.1 ..................................................... 13 1.2.1 U1 .......................................................... 13 1.2.2 U2 .......................................................... 13 1.2.3 U3 .......................................................... 14 1.2.4 U5 .......................................................... 14 1.2.5 U6 .......................................................... 14 1.2.6 U6.3 ......................................................... 14 1.2.7 U7 .......................................................... 14 1.3 Path and Name Lengths .................................................. 15 1.4 Hardware Recommendations ............................................... 16 1.4.1 RAM ......................................................... 16 1.4.2 The Operating System Device ........................................... 17 1.4.3 Storage Disks and Controllers ..........................................
    [Show full text]